Open zzjin opened 1 week ago
cc @2456868764
The simple way: add parse logic with `CredentialConfig.TLSSecret`, e.g. support "sealos-system/wildcard-cert" instead of "wildcard-cert" for the higress-system namespace.
```yaml
automaticHttps: false
fallbackForInvalidSecret: true
acmeIssuer:
  - email: cloud@sealos.io
    name: letsencrypt
renewBeforeDays: 1
credentialConfig:
  - domains:
      - '*.sealos.io'
      - 'sealos.io'
    tlsSecret: sealos-system/wildcard-cert
    # tlsSecret: wildcard-cert
```
But here comes the conflict: when a user also sets `AutomaticHttps=true` alongside a namespaced `tlsSecret`, the SecretMgr cannot support it, since it can only update and manage secrets under higress-system's own namespace.
https://github.com/alibaba/higress/blob/main/pkg/cert/secret.go#L48-L70
I am inclined to enable automatic HTTPS, maintaining consistent behavior, which also entails writing to the designated namespace's secret. It should be noted that this requires adjusting the clusterrole to grant higress access to write to secrets in other namespaces.
Why do you need it?
`CredentialConfig` cannot use another namespace's TLS secret.

How could it be?
Users can set other namespaces' secrets for domains.

Other related information
Kubernetes's ingress-nginx controller can use `--default-ssl-certificate` like "default/secret". @see: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
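As an added illustration (not Higress code; every name in it is assumed), this sketches the `namespace/name` parsing for `tlsSecret` together with a load-time check that rejects the conflicting combination described above, so that `automaticHttps` with a secret outside higress-system fails with a clear error instead of a write that the SecretMgr is never permitted to do:

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration, not Higress code; all names below are assumed.
const defaultNamespace = "higress-system" // the only namespace SecretMgr writes to

type CredentialConfig struct {
	Domains   []string
	TLSSecret string // "name" or "namespace/name"
}

type CertConfig struct {
	AutomaticHttps   bool
	CredentialConfig []CredentialConfig
}

// ParseTLSSecretRef splits "namespace/name"; a bare name means defaultNamespace.
func ParseTLSSecretRef(ref string) (namespace, name string, err error) {
	parts := strings.Split(strings.TrimSpace(ref), "/")
	switch len(parts) {
	case 1:
		namespace, name = defaultNamespace, parts[0]
	case 2:
		namespace, name = parts[0], parts[1]
	default:
		return "", "", fmt.Errorf("tlsSecret %q: expected name or namespace/name", ref)
	}
	if namespace == "" || name == "" {
		return "", "", fmt.Errorf("tlsSecret %q: empty namespace or name", ref)
	}
	return namespace, name, nil
}

// ValidateCertConfig surfaces the conflict at config-load time: automaticHttps must
// write the secret, which SecretMgr only does in defaultNamespace, so reject early.
func ValidateCertConfig(c CertConfig) error {
	for _, cc := range c.CredentialConfig {
		ns, _, err := ParseTLSSecretRef(cc.TLSSecret)
		if err != nil {
			return err
		}
		if c.AutomaticHttps && ns != defaultNamespace {
			return fmt.Errorf("tlsSecret %q: automaticHttps cannot manage a secret outside %s", cc.TLSSecret, defaultNamespace)
		}
	}
	return nil
}
```

Granting the gateway a cluster-wide write role on secrets, as the alternative above suggests, widens what a compromised gateway can read, so the check is a cheap way to keep the default posture until that decision is made deliberately.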